Trimmer High
Analysis
This instruction-only skill is coherent for cloud video trimming, but it sends videos and prompts to a NemoVideo API and uses a session backed by a bearer token for uploads, edits, and exports.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
Backend says | You do ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow
The skill makes backend text authoritative for follow-on API actions. This is aligned with translating a GUI-based video backend into API calls, but users should know remote responses can drive edits or exports within the session.
Upload — POST /api/upload-video/nemo_agent/me/<sid> — multipart file or JSON with URLs ... Export — POST /api/render/proxy/lambda with render ID and draft JSON. Poll GET ... every 30s
The skill exposes upload, render, polling, state, and export API operations. These are expected for cloud video trimming, but they can transmit user media and consume service credits.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
The skill has no local install mechanism or code, which limits local supply-chain exposure, but its origin and project homepage are not identified.
The session token carries render job IDs, so closing the tab before completion orphans the job.
The cloud render job can continue or become detached from the user session if interrupted. This is disclosed and tied to the render workflow, but it is a containment/recovery consideration.
closing the tab before completion orphans the job
The artifact discloses that a cloud render job may continue outside the visible chat/session flow. This is part of the intended rendering pipeline, not hidden persistence or self-propagation.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
All requests must include: Authorization: Bearer <NEMO_TOKEN> ... Don't print tokens or raw JSON.
The skill requires a bearer token for the video-processing API and explicitly tells the agent not to print it. This credential use is expected for the stated service integration.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
Save `session_id` from the response ... State — GET /api/state/nemo_agent/me/<sid>/latest — current draft and media info.
The skill stores and reuses a cloud session identifier and retrieves draft/media state from the backend. This is necessary for editing continuity, but it means session context and media metadata exist outside the local chat.
Chat (SSE) — POST /run_sse with `session_id` and your message in `new_message.parts[0].text` ... Tool call/result | Process internally, don't forward
The skill communicates with a backend agent/service over SSE and sends user messages plus session identifiers. The destination is disclosed, but this is still an external agent/provider boundary.
